• 0800 0862018
  • This email address is being protected from spambots. You need JavaScript enabled to view it.
  • Mon - Fri 8:00 - 17:00

Best Practice Update

    You are here:  
  1. Home
  2. Best Practice Update
  3. Research projects and GDPR
Best Practice Updates

Research projects and GDPR

Research projects have quite a bit of leeway in GDPR - and whereas GDPR tightened a lot of things up from the old data protection directive, it actually frees up a lot relating to research.

Firstly, what GDPR says (Art 5) is that data must be processed for explicit purposes only...and in relation to school's that's usually a child's education. And GDPR doesn't really like alternate purposes for processing, except in certain circumstances - so Art 5.1(b) tells us that "further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes". We'll come back to Article 89 later.

And the GDPR also has a fairly broad brush about what constitutes research (Recital 159). It is, however, safe to say that research applies to projects that are declared as research with aims, objectives and methodology declared and approved by an organisation in advance. A pet project of a teacher who collects data for personal "research" doesn't qualify. It can't be applied as a purpose after the fact. Whilst Recital 33 states that it:

"is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of collection”',

this refers to secondary research processing, where datasets collected for research may be used in further research projects. 

The lawful basis is the key - do we need consent for this processing? Well, the initial purpose is processed under the lawful basis on "a task in the public interest". Any further processing for other purposes is only allowed when it's compatible with the original purpose (Art 6.4) - ie. a task in the public interest. And though the derogation from GDPR in Section 8 of the Data Protection Act 18, doesn't define research as a task in the public interest,  Recital 50 we find that:

"Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations." 

That's why Article 6.4 allows additional processing operations that are compatible. 

We still need a lawful basis, even if research is not incompatible with the initial basis - most research, in this case, would be conducted under legitimate interest - but you need to define how your interest outweighs that of the data subjects.

So consent might not be the way to go (though you can if you wish - it would be valid if you could ensure it's unambiguous what the data is used for (see the point about Article 33 above).

So back to Article 89, which deals with the safeguards in place, and that means in research projects all the GDPR organisational and technical measures should be adhered to, it doesn't allow shortcuts. Data minimisation, other data rights, the organisational and technical measures required to secure data - all still apply. Article 89 also refers to pseudonymisation - for example, do you need to use real student names,? Another thing to consider would be whether the data can be anonymised? If you can anonymise the data completely, then it wouldn't even fall under GDPR (though complete anonymisation is rarely possible, especially with larger datasets).

Consider whether your research data needs the content of lessons, or to associate that content with individually identifiable students? If only the former, think about how personal data can be removed from your research files. If you only need statistics, don't collect the personal data - just identify Student A, Student B etc. Minimise the personal data collected, not the data required for your research.

Where are you storing the data? Is it secure? Is it encrypted? Who else has access to it? All questions that need to be thought about - and if you aren't sure a data privacy impact assessment needs to be done. For example, don't store your research USB drive. Find some secure cloud storage appropriate, as long as the appropriate security protocols are in place.

You still need to send a letter to data subjects or parents/carers, but not a consent form. It would be a notice of the processing and the rights available (and not all data subject rights apply to research data) (Article 13). Remember that there should be a privacy notice for children too, written in clear language that they understand. That is unless the nature of letting the data subjects know would impact on the nature of the study (Art 14.5.b)

Data subjects can object to the processing (the opt-out option that you proposed) and request erasure, but these objections can be overridden if it would impact on the research.

 

 

©2024 Data Protection Education Ltd.

Search

  • News